Answered: [Security threat] tags are not sanitized in extra question field

Post date: 2020-07-01 00:44:51
Views: 318

Hey q2apro, I think you are testing the default q_view_extra($q_view); function.

The default function is still safe. But if you pull the content from the databse, it's not safe.

First, look! The script is stored in database.

database

Second, if create a function to pull that content form the datase:

public function q_item_extra($q_item)
{
$postidz = $q_item'raw']'postid'];
$extra = qa_db_read_one_value(qa_db_query_sub(
       'SELECT content FROM ^postmetas WHERE title="qa_q_extra" AND postid=#',
        $postidz
   ), true);
 
 //$extra = $q_item'extra']'content'];
 
        $this->output('My info:'.$extra);   
   
}

Here's the result:

test

I hope you'll get my point.

Please click Here to read the full story.
 
Other Top and Latest Questions:
ASML rises 4% after hiking sales forecast for second time this year on strong AI chip demand
Yum's Taco Bell removes select items, says no confirmed link to U.S. cyclosporiasis outbreak
Not really a fan of nature, are you?
Help with vegetarian meal prep (post root canal)
Post-termination Professional Leave due to Autism
Economic outlook is worsening and Trump is getting blamed, CNBC survey finds
Lucid dismisses report that it is weighing filing for bankruptcy or going private after shares plunge
Social Security cost-of-living adjustment estimate for 2027 falls as inflation cools
United Airlines' new upsell: Keeping other travelers out of the middle seat
U.S. trade official says 'very few' Nvidia H200 AI chips have been shipped to China